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Abstract —In this paper, we present a zero-forcing (ZF) attack 
on the physical layer cryptography scheme based on massive 
multiple-input multiple-output (MIMO). The scheme uses sin¬ 
gular value decomposition (SVD) precoder. We show that the 
eavesdropper can decrypt/decode the information data under the 
same condition as the legitimate receiver. We then study the 
advantage for decoding by the legitimate user over the eaves¬ 
dropper in a generalized scheme using an arbitrary precoder 
at the transmitter. On the negative side, we show that if the 
eavesdropper uses a number of receive antennas much larger 
than the number of legitimate user antennas, then there is no 
advantage. Independent of the precoding scheme employed at the 
transmitter. On the positive side, for the case where the adversary 
is limited to have the same number of antennas as legitimate 
users, we give an O (n^) upper bound on the advantage and show 
that this bound can be approached using an Inverse precoder. 

Index Terms —Physical Layer Cryptography, Massive MIMO, 
Zero-Forcing, Singular Value, Precoding. 

I. Introduction 

Recently, an interesting new approach for physical security 
in massive multiple-input multiple-output (MIMO) communi¬ 
cation systems was introduced by Dean and Goldsmith m 
and called “Physical layer cryptography”, or a massive MIMO 
physical layer cryptosystem (MM — PLC). In this scenario, 
the channel state information (CSI) is known at the legitimate 
transmitter as well as all the other adversaries and legitimate 
receivers. The eavesdropper has also the knowledge of the 
CSI between legitimate users. The idea is to replace the 
information-theoretic security guarantees of previous physical 
layer security methods with the weaker complexity-based 
security guarantees used in cryptography. More precisely, the 
idea of IT] is to precode the information data at the transmitter, 
based on the known CSI between the legitimate users, so that 
the decoding of the received vector would be computationally 
easy for the legitimate user but computationally hard for the 
adversary. The goal of this approach is to trade-off a weaker, 
but still practical, complexity-based security guarantee in order 
to avoid the less practical additional assumptions required by 
existing information-theoretic techniques, such as higher noise 
level in 0, Q, ® and/or less antennas for the adversary 
than for legitimate parties in IH, while still retaining the “no 
secret key” location-based decryption feature of physical-layer 
security methods. 

In 0, a MM — PLC is presented that is claimed to achieve 
the above goal of the complexity-based approach, using a 
singular value decomposition (SVD) precoding technique and 
m-PAM constellations at the transmitter. Namely, it is claimed 
that, under a certain condition on the number rtt of legitimate 
sender’s transmit antennas and the noise level /3 in the adver¬ 
sary’s channel (which we call the hardness condition of 0), 


the message decoding problem for the adversary (eavesdrop¬ 
per), termed the MIMO — Search problem in 0, is as hard to 
solve on average as it is to solve a standard conjectured hard 
lattice problem in dimension rit in the worst-case, in particu¬ 
lar, the GapSVPpQ[y(jj^j variant of the approximate shortest 
vector problem in arbitrary lattices of dimension rit, with 
approximation factor polynomial in For these problems, 
no polynomial-time algorithm is known, and the best known 
algorithms run in time exponential in the number of transmit 
antennas rit, which is typically infeasible when nt is in the 
range of few hundreds (as in the case of massive MIMO). 
Significantly, this computational hardness of MIMO — Search 
is claimed to hold even if the adversary is allowed to use a 
large number of receive antennas n'^ = poly(nt) polynomially 
larger than n* and used by the legitimate parties, and 
with the same noise level as the legitimate receiver (/3 = a). 
Consequently, under the widely believed conjecture that no 
polynomial-time algorithms for GapSVPpQjy^^^^^) in dimen¬ 
sion nt exist and the hardness condition of 0, the authors 
of 0 conclude that their MM — PLG and the corresponding 
MIMO —Search problem is secure against adversaries with 
run-time polynomial in n*. 

Our Contribution. In this contribution, we further analyse 
the complexity-based MM — PLG initiated in 0, to improve 
the understanding of its potential and limitations. Our contri¬ 
butions are summarized below: 

• We show, using a linear receiver known as zero-forcing 
(ZF) Q, an algorithm with run-time polynomial in nt 
for the MIMO — Search problem faced by an adversary 
against the MM — PLG in 0. We analyze the decoding 
success probability of this algorithm and prove that it 
is > 1 — o(l) even if the hardness condition of 0 
is satisfied, if the ratio y' = n'.j.lnt exceeds a small 
factor at most logarithmic in nt, i.e. y' = O{\ognt). 
This contradicts the hardness of the MIMO —Search 
problem conjectured in 0 to hold for much larger 
polynomial ratios y' — C>(poly(nt)). Moreover, we show 
that the decoding success probability of an adversary 
against the MM — PLC of 0 using the ZF decoder is 
approximately the same (or greater than) as the decoding 
success probability of the legitimate receiver if n'^ is 
approximately greater than or equal to nr, assuming an 
equal noise level for adversary and legitimate receivers. 
Our first contribution implies that the SVD precoder- 
based MM — PLC in 0 still requires for security an 
undesirable assumption limiting to be less than that 
of the legitimate receiver, similar to previous information- 
theoretic techniques. 


• As our second contribution, we investigate the potential 
of the general approach of m assuming ZF decoding 
by the both adversary and legitimate receiver, by study¬ 
ing the generalized scenario where one allows arbitrary 
precoding matrices by the legitimate transmitter in place 
of the SVD precoder of the scheme in 111. To do so, 
we define a decoding advantage ratio for the legitimate 
user over the adversary, which is approximately the ratio 
of the maximum noise power tolerated by the legitimate 
user’s decoder to the maximum noise power tolerated 
by the adversary’s decoder (for the same “high” success 
probability). We derive a general upper bound on this 
advantage ratio, and show that, even in the general 
scenario, the advantage ratio tends to 1 (implying no 
advantage), if the ratio n'^j max(nt,nr) exceeds a small 
constant factor (< 9). Thus a linear limitation (in the 
number of legitimate user antennas) on the number of 
adversary antennas seems inherent to the security of this 
approach. On the positive side, we show that, in the case 
when legitimate parties and the adversary all have the 
same number of antennas (nj. — rir = nt), the upper 
bound on the advantage ratio is quadratic in rit and we 
give experimental evidence that this upper bound can be 
approximately achieved using an inverse precoder. 

Notation. The notation b denotes that the real number a 
is much greater than b. We let \z\ denotes the absolute value 
of z. Vectors will be column-wise and denoted by bold small 
letters. Let v be a vector, then its j-th entry is represented 
by vj. A fci X ^2 matrix X = [xi,...,Xfe 2 ] is formed by 
joining the fci-dimensional column vectors xi,... ,Xk 2 - The 
superscript * denotes transposition operation. We make use 
of the standard Landau notations to classify the growth of 
functions. We say that a function F{n) is poly(n) if it is 
bounded by a polynomial in n. The notation uj{F{n)) refers 
to the set of functions (or an arbitrary function in that set) 
growing faster than cF{n) for any constant c > 0. A function 
G{n) is said negligible if it is proportional to If X is 

a random variable, P[X = a;] denotes the probability of the 
event “X = x”. The standard Gaussian distribution on K with 
zero mean and variance is denoted by A/^ 2 . We denote by 
w ^ V the assignment to random variable w a sample from 
the probability distribution V. 

IT System Model 

We first summarize the notion of real lattices and SVD (of 
a matrix) which are essential for the rest of the paper. A 
fc-dimensional lattice A with a basis set {£i,... ,£k} C 
is the set of all integer linear combinations of basis vectors. 
Every matrix Mgxt admits a singular value decomposition 
(SVD) M = USV*, where the matrices Usxs and Vjxt are 
two orthogonal matrices and S^xt is a rectangular diagonal 
matrix with non-negative diagonal elements (7i(M) > • • • > 
(Ts(M). By abusing the notation, we denote the Moore- 
Penrose pseudo-inverse of M by M“^, that is 
where the pseudo-inverse of S is denoted by and can 
be obtained by taking the reciprocal of each non-zero entry 
on the diagonal of S and finally transposing the matrix. 


A. Dean-Goldsmith Model 

We consider a slow-fading Ml MO wiretap channel model. 
The rij. x rit real-valued Ml MO channel from user A to user 
B is denoted by H. We also denote the channel from A to the 
adversary E by an n'^ x rit matrix G. The entries of H and G 
are identically and independently distributed (i.i.d.) based on a 
Gaussian distribution A/j. These channel matrices are assumed 
to be constant for long time as we employ precoders at the 
transmitter. This model can be written as: 

/ y = Hx -t- e, 

\ y' = Gx-Fe'. 

The entries Xi of x € K"*, for 1 < i < nt, are drawn from 
a constellation X = {0,1,..., m — 1} for an integer m. The 
components of the noise vectors e and e' are i.i.d. based on 
Gaussian distributions and Nrrfipi, respectively. We 

assume a = /3 to evaluate the potential of the Dean-Goldsmith 
model to provide security based on computational complexity 
assumptions, without a “degraded noise” assumption on the 
eavesdropper. In this communication setup, the CSI is available 
at all the transmitter and receivers. In fact, users A and B 
know the channel matrix H (via some channel identification 
process), while adversary E has the knowledge of both channel 
matrices G and H. The knowledge of H allows A to perform 
a linear precoding to the message before transmission. More 
specifically, in m, to send a message x to B, user A performs 
an SVD precoding as follows. Let SVD of H be given as 
H = USV*. The user A transmits Vx instead of x and B 
applies a filter matrix U‘ to the received vector y. With this, 
the received vectors at B and E are as follows: 

J y = Sx-Fe, 

\ y' = GVx-Fe', 

where e = U*e. Note that since U* and V are both orthogonal 
matrices, the vector e and the matrix G^ = GV continue to 
be i.i.d. Gaussian vector and matrix, with components of zero 
mean and variances and 1, respectively. 

B. Correctness Condition 

Although Dean-Goldsmith do not provide a correctness 
analysis, we provide one here for completeness. Since S = 
diag((Ti(H),... ,(t„j(H)) is diagonal, user B recovers an 
estimate Xi of the i-th coordinate/layer Xi of x, by per¬ 
forming two operations dividing and rounding as follows: 

= Xi [ei/cTi (H)J. It is now easy to see 
that the decoding process succeeds if |ei| < |cri(H)|/2 for 
all 1 < i < nt- Since each et is distributed as the 

decoding error probability, P(B|H) that B incorrectly decodes 
X, is, by a union bound, upper bounded by nt times the 
probability of decoding error at the worst layer: 

P(B|H) < (|u;| < |a„,(H)|/2) 

= ntP^^M (|w| < |cr„j(H)|/(2TOa)) (1) 

< nt exp (-|cr„j(H)p/(8TO^Q;^)), 

where we have used the bound exp(—a:^/2) on the tail of the 
standard Gaussian distribution. By choosing parameters such 
that < |cr„j(H)p/(8log(nt/£)), one can ensure that 

B’s error probability P(B|H) is less than any £ > 0. 


C. Security Condition 

Unlike decoding by user B, for decoding by the adversary E, 
the authors of m claimed that the complexity of a problem 
called in m the “Search” variant of the “MlMO decoding 
problem” (to be called Ml MO — Search from here on), namely 
recovering x from y' = G^x + e' and Gy, with non- 
negligible probability, under certain parameter settings, upon 
using massive Ml MO systems with large number of transmit 
antennas rit, is as hard as solving standard lattice problems in 
the worst-case. More precisely, it was claimed in m that, upon 
considering above conditions, user E will face an exponential 
complexity in decoding the message x. The above cryptosys¬ 
tem is called the Massive Ml MO Physical Layer Cryptosystem 
(MM — PLC), and the above problem of recovering x from 
y' is called in 111 the “Search” variant of the “MlMO de¬ 
coding problem”. For our security analysis, we focus here 
for simplicity on this Ml MO —Search variant. We say that 
the Ml MO — Search problem is hard (and the MM — PLC is 
secure in the sense of “one-wayness”) if any attack algorithm 
against Ml MO — Search with run-time poly (rit) has negligible 
success probability More precisely, in Theorem 1 

of O, a polynomial-time complexity reduction is claimed 
from worst-case instances of the GapSVP„^/„ problem in 
arbitrary lattices of dimension rit, to the MIMO — Search 
problem with n* transmit antennas, noise parameter a and 
constellation size m, assuming the following minimum noise 
level for the equivalent channel in between A and E holds: 

ma > (2) 

The reduction is quantum when m = poly(nt) and classical 
when m = 0(2"*), and is claimed to hold for any polynomial 
number of receive antennas n'y = poly(nt). We show in the 
next Section, however, that in fact for ma < cn'^/\/\og rit 
for some constant c, there exists an efficient algorithm for 
MIMO — Search. Since (|^ is independent of the number of 
receive antennas n'y, the condition © turns out to be not 
sufficient to provide security of the MM — PLC. We will 
provide our detailed analysis in the next Section. 

III. Zero-Forcing Attack 

In this section, we introduce a simple and efficient attack 
based on ZF linear receivers a. We first introduce the attack 
and analyze its components. The eavesdropper E receives 
y' = G^x -F e'. Let G„ = U'S'(V')* be the SVD of the 
equivalent channel G^. Thus, we get y' = U'S'(V')‘x -F e', 
where both U' and V' are orthogonal matrices and S' equals 
diag(cri(G„),...,cr„,(G„)) = diag (cri(G),..., (t„,(G)), 
where the last equality holds since the singular values of G„ 
and G are the same. Note that E knows G„ and its SVD 
from the assumption that (s)he knows the channel between A 
and B. At this point, user E performs a ZF attack Q. S(he) 
computes 

y'= (G„)"V'=x + e', (3) 

where e' = (G„)“^e' = V'(S')“^(U')‘e'. User E is now 
able to recover an estimate i' of the i-th coordinate Xi of x, 
by rounding: i' = \yi\ = \x^ + e'J =Xi+\e[\. 

A. Analysis of ZF Attack 

We now investigate the distribution of e' in ([^. 


Lemma 1: The components of e' in Q are distributed as 
with ct| < (m2a2)/cr2^(G). 

Proof: Note that (U')*e' has the same distribution as e' 
since (U')‘ is orthogonal. Hence, Zj, the j-th coordinate of 
the vector z = (S')“^(U')*e' is distributed as 
for all I < j < rit- We also note that Zj’s are independent 
with different variances. Now let v' denotes the i-th row of 
V'. We hnd the distribution of 

nt 

ti = = J2 '^IjZ3- ( 4 ) 

f = l 

Since the linear combination at 0 is distributed as a linear 
combination of independent Gaussian distributions, f is dis¬ 
tributed as 


nt 

^ ^ (G) 


(5) 



(6) 


Since cr|(G) > cr^j(G), for all 1 < j < n*, the random 
variable ti is distributed as with 


2 2 
(jl_ = m a 


V, 


'' I 

^.J I 


nt 


< 




9 9 nt 

m a , , ,9 


(G)2^' 


2 2 
m^a 

<JGY 


(7) 


where the last equality holds because V' is orthogonal. ■ 
The above explained ZF attack succeeds if |e~'| < 1/2 for 
all 1 < z < Tit- Let Pzf(E|G) denotes the decoding error 
probability that E incorrectly recovers x using ZF attack. 
Based on Lemma [T] we have 

Pzf(E|G) < 2 (|w| < 1/2) 

^■e 

< ntPu,.i_>AAi (|tT| < |o'nt(G)|/(2mQ;)) . (8) 

By comparing ([T]) and we see that the noise conditions 
for decoding x by users B and E are the same if both 
users have the same number of receive antennas n/ = riy 
and the distributions of channels G and H are the same. 
This implies that user E is able to decode under the same 
constraints/conditions as B. Moreover, if n/ > Ur, then the 
adversary E is capable of decoding higher noise. 

B. Asymptotic Probability of Error for Adversary 

Before starting this section, we mention a Theorem from lO 
regarding the least/largest singular value of matrix variate 
Gaussian distribution. This theorem relates the least/largest 
singular value of a Gaussian matrix to the number of its 
columns and rows asymptotically. 

Theorem 1 Let M be an s x f matrix with i.i.d. 

entries distributed as Ni- If s and t tend to inhnity in such a 
way that s/t tends to a limit y G then 


r/(M)/s ^ (i - \/i7y) 

(9) 

■1{M)/s ^ [l + s/l/y\ , 

(10) 


almost surely. 

We now analyze the asymptotic probability of error for eaves¬ 
dropper using a ZF linear receiver. 






Theorem 2: Fix any real e^e' > 0, and y' G [l,cx)], and 
suppose that n'^/rit —>■ y' as rit —>■ cx). Then, for all sufficiently 
large n*, the probability Pzf(E) that E incorrectly decodes the 
message x using a ZF decoder is upper bounded by e, if 


< ((1 - a / W )^ - £') 

_ L 

81og(2nt/e) 


( 11 ) 


Proof: Let Q be the set of all channel matrices G such 
that cr^j(G) > n'^ ^(1 — \Jlly'Y — Note that G ^ Q 
with vanishing probability o(l) as rit -G oo, by Theorem 
We have: 


Pzf(e)=Pzp(e|g e g)P(G e g)+Pzp(E|G i g)P(G i g) 
<Pzp(E|Ge 0 )+P(G^e) 

< ntPw^Ni (kl < |o-nt(G)|/( 2 ma)) + o(l) 

< ntexp (-(t^^(G)/ (Sto^q;^)) + o(l) 

-<((l-\/W)^-e')^ 


< rit exp 


8mfa^ 


^(1), 


where the first inequality is due the facts that P (G S ()) < 1 
and Pzp(E|G ^ 0)^ {G f: Q) < P(G^^), the second 
inequality is true based on f) and Theorem [T] the third 
inequality uses the well-known upper bound exp (—a:^/2) 
for the tail of a Gaussian distribution and the last inequality 
follows from the definition of Q. By letting Pzp(E) < e, the 
sufficient condition ( [TT| l can be obtained. ■ 

Comparing conditions and ( [TT] ), we conclude that if y' 
exceeds a small factor at most logarithmic in rit, i-O- y' = 
O{logrit) we can have both conditions satisfied and yet The¬ 
orem]^ shows that MIMO ~ Search can be efficiently solved, 
i.e. this contradicts the hardness of the MIMO — Search prob¬ 
lem conjectured in Ul to hold for much larger polynomial 
ratios y' = 0(poly(nt)). 

To analytically investigate the advantage of decoding at B 
over E, we define the following advantage ratio. 

Definition 1: For fixed channel matrices H and G, the 
ratio 

adv4a2^(H)/<(G), (12) 

is called the advantage of B over E. 

We note from Q and that adv is the ratio between the 
maximum noise power tolerated by B’s ZF decoder to the 
maximum noise power tolerated by E’s ZF decoder, for the 
same decoding error probability in both cases. First, we study 
this advantage ratio asymptotically. We use Theorem to 
obtain the following result. 

Proposition 1: Let H„^xnt be the channel between A 
and B and G„'xnt be the channel between A and E, 
both with i.i.d. elements each with distribution A/j. Fix real 
y,y' e [l,oo], and suppose that tir/nt -G y and n'^/rit -G y' 
as nt —>■ oo. Then, using a SVD precoding technique in 
MM — PLC, we have adv —> (yfij — l)^/ {\/y' — l)^ almost 
surely as rit -G oo. 

Proof: Based on Theorem [T] for H and G, we have 

f Crnt(H)/nr ^ (1 - y/ITy)^ 

I '7np(G)/n; ^ (1 - v^V)^- 


Substituting the above two limits into ( |T^ and using rir/n^ = 
{rir!rit)!{n'^!rit) v/y' , the result follows. ■ 

Note that adv —1 is obtained in the case that y = y' , which 
is equivalent to rirln'j. -G 1. On the other hand adv —0, if 
y' jy = oo which is equivalent to n'^^lrir —>■ oo. 


C. General Precoding Scheme 

One may wonder whether a different precoding method 
(again, assumed known to E) than used above may provide 
a better advantage ratio for B over E. Suppose that instead 
of sending ic = Vx, user A precodes x = P(H)x, where 
P = P(H) is some other precoding matrix that depends 
on the channel matrix H. Then, given the channel matri¬ 
ces, the analysis given in Section shows that using ZF 
decoding, B’s decoding error probability will be bounded 
as nt exp(—(HP)/(8m^a^)), while E’s decoding error 
probability will be bounded as rit exp(—(GP)/(8m^a^)). 
Therefore, in this general case, the advantage ratio of maxi¬ 
mum noise power decodable by B to that decodable by E at 
a given error probability generalizes from ( [T^ to 

adv4tT2^(HP)/<(GP). (13) 


We now give an 
us hrst define 


upper bound on the advantage ratio Let 


advup = 


<(G)- 


Proposition 2: Let H and G be as in Proposition 
Then we have adv < advup. Furthermore, fix real y, y' € 
[l,oo], and suppose that rirlnt -G y and n'.j./nt —>■ y' 
as rit —t oo, so that n^/n^, —>• y'/y = p'. Then, using 
a general precoding matrix P(H) in MM — PLC, we have 
advup —>■ (y/y + l) / {VW ~ l) almost surely as rit —t oo. 
Flence, in the case = rir and ?/' = y —>■ oo, we have 

advup —> 1. Moreover, if advup —> c for some c > 1, then 
min(?/', p') < 9. 

Proof: It is easy to see the two inequalities below hold 
for every H, G, and P: 


r a„,(HP)<ai(H)a„,(P), 
\ a„,(GP)>a„,(G)a„,(P). 


Flence, the advantage ratio ( [T3] l can be upper bounded as 

^f(HX(P) 


adv < 


a?(H) 




(G)<(P) aUG) 


= advup. (14) 


Using Theorem [T] for the the numerator and the denominator 
of the RHS of (|l4ll, respectively, and -G y/y', we get 


y(l + s/ljy)^ 

y’{l - yw)' 




In the case n'^ = rir and y = j/' —>■ oo, the lat¬ 
ter inequality gives advup —> 1. Also, the inequality 

{s/y + 1) / {W - l) > 1 implies (using y = y'/p') that 
< 1/(1 ~ 2/v^)^, and the RHS of the latter is < 9 for all 
y' > 9, which implies min(y',p') <9. ■ 


IV. Achievable Upper Bound on Advantage Ratio 


The above analysis shows that one cannot hope to achieve 
an advantage ratio greater than 1, if the the adversary uses 













a number of antennas significantly larger than used by the 
legitimate parties (by more than a constant factor). We now 
explore what advantage ratio can achieve if we add a new 
constraint to MM — PLC, namely the number of adversary 
antennas is limited to be the same as the number of legitimate 
transmit and receive antennas. That is, we study the advantage 
ratio when the channel matrices H and G are square matrices 
and not rectangular. We show that under this simple constraint 
n = rit = Tir = n'^, the advantage ratio is capable of getting 
larger than 1 and as big as O (n^). We employ the following 
result in our analysis. 

Theorem 3 OEI/).- Let M be atxt matrix with i.i.d. entries 
distributed as Afi. The least singular value of M satisfies 


lim P 


> X 


= exp (—a;^/2 — x) . 


(15) 


We note that for a similar result on the largest singular value 
for square matrices, Theorem H is enough. Using the above 
Theorem along with Theorem [W one can further upper bound 
and estimate the advantage ratio. More precisely, we have 

adv < <jl{U)/al{G) (16) 

^ 4n/CT^(G) = 4nV (ncr^(G)) , (17) 

where is obtained based on d- As n —>■ 00 , based 
on Theorem]^ the denominator of the RHS of ([T^ is 0(1) 
except with probability < £ for any fixed e > 0, and thus adv 
is O (n^) with the same probability. The following proposition 
is now outstanding. 

Proposition 3: Let e > 0 be fixed, H and G be n x n 
matrices as in Propositionwith n = rit = rir = n(,. Using a 
general precoder P(H) to send the plain text x, the maximum 
possible adv that B can achieve over E, is of order O (n^), 
except with probability < e. 

The above proposition implies that user B may be able to 
decode the message x, with noise power up to times greater 
than E is able to handle. Such an advantage was not available 
in MM — PLC scheme proposed in HI due to the lack of 
constraint on the number of receive antennas for E and the 
use of SVD precoder. We present below experimental evidence 
that this upper bound can be approached using an inverse 
precoder P(H) = This inverse precoder may not be 

power efficient as it may need a lot of power enhancement 
at A, however it gives us a benchmark on the achievable 
advantage ratio. In this framework, the equivalent channel 
between legitimate users is the identity matrix and the channel 
between users A and E is GH~^. In Fig. we have shown 
the value of logj^Q (adv) for 1000 square channel matrices of 
size n = 200. For refrence, we also plot the mean value along 
with logj^g (200^). Clearly, in most cases the advantage ratio 
© is within a small factor (compared to n?) of n^. 


V. Summary and Directions for Future Work 

Our results suggest several natural open problems for 
future work. The implied contradiction between our first 
contribution and the conjectured hardness of Ml MO — Search 
in m for n'^/rit = C7(poly(nt)) implies either a polynomial¬ 
time algorithm for worst-case GapSVPpQjyj-^^) or that the 
complexity reduction of Q (Theorem 1 of HI) between 
Ml MO — Search and GapSVPpQ[y(„^) does not hold under the 
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Fig. 1. The advantage ratio GD for 1000 square channels of size n = 200 
using inverse precoder. 


hardness condition of m. We believe the second possibility 
is the correct one, and that there is a gap in the proof of 
Theorem 1 of m. We do not yet know if the gap can be filled 
to give a worst-case to average-case reduction under a revised 
hardness condition. This is left for future work. 

Our generalized upper bound on legitimate user to adver¬ 
sary ZF decoding advantage suggests the complexity-based 
approach does not remove the needed linear limitation on the 
number of adversary antennas versus the number of legitimate 
party antennas, that is also suffered by previous information- 
theoretic methods. Can a more general complexity-based ap¬ 
proach to physical-layer security avoid this limitation? 

Finally, our positive result for the inverse precoder suggests 
that if the adversary is limited to have the same number 
of antennas as the legitimate parties, the complexity-based 
approach may provide practical security. This suggests the 
following questions: How secure is this inverse precoding 
scheme against more general decoding attacks (other than ZF)? 
Can a security reduction from a worst-case standard lattice 
problem be given for this case? How does the practicality 
of the resulting scheme compare to existing physical-layer 
security schemes based on information-theoretic security ar¬ 
guments? Can the efficiency of those schemes be improved 
by the complexity-based approach? 
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